Kindot Posted August 18, 2016

Who tells me what's wrong takes a kiss

    if( isset($_POST['anno']) ){
        echo "<select name='squadra'>";
        $squadraseltutte = "";
        if ($_POST['squadra'] == "tutte") $squadraseltutte = "selected";
        echo "<option value='tutte' ".$squadraseltutte.">Tutte</option>";
        $squadre=file('./statistiche/archivio/'.$_POST['anno'].'/squadre.txt');
        for ($num5=0; $num5<=19; $num5++){
            $squadrasel = "";
            if ($_POST['squadra'] == $squadre[$num5]) $squadrasel = "selected";
            echo "<option value=".$squadre[$num5]." ".$squadrasel.">".ucfirst(strtolower($squadre[$num5]))."</option>";
        };
        echo "</select>";
    }
    else echo "<select name='squadra'><option value='tutte' selected>Tutte</option></select>";

It should select the $squadre[$num5] chosen with the $_POST['squadra'] automatically, but it always selects the first option anyway. If I choose "Tutte" it works, it selects "Tutte" automatically. What's wrong within the for cycle?

Sorry for the bad English and thanks in advance!

Jacques1 Posted August 18, 2016

The option value isn't quoted, so any space will screw up the form.

And the concept of security seems to be entirely foreign to you. You let the user choose an arbitrary file path and print the content straight on the screen, and you insert all input directly into your HTML markup. Do you not understand how dangerous this is?

Kindot (Author) Posted August 18, 2016

Thanks for the reply, unfortunately I'm not an expert and it's my first website. It will be accessible only to a few people so I hope it will be good.

However, sorry, but I didn't understand what you meant. The option value works because if I select an option the page shows me what I selected, it just doesn't mark the option as "selected". Can you please explain to me what you wrote? Any example would be welcome.

Jacques1 Posted August 18, 2016 (edited August 18, 2016 by Jacques1)

The value attributes of your options are unquoted, which means the value stops at the first space character, even if it's actually longer. Your strings from the file() call do contain trailing newline characters, so the submitted value no longer matches the real value. It's truncated.

Quote your attributes and call file() with the FILE_IGNORE_NEW_LINES flag.

> It will be accessible only to a few people so I hope it will be good.

How do you know that it's only accessible to a few people? In any case, hope isn't the right approach in programming. Learn the basics of security and make sure your code is actually safe.

cyberRobot Posted August 18, 2016

> However, sorry, but I didn't understand what you meant. The option value works because if I select an option the page shows me what I selected, it just doesn't mark the option as "selected". Can you please explain to me what you wrote? Any example would be welcome.

This

    echo "<option value=".$squadre[$num5]." "

Needs to be changed to something like this

    echo "<option value='".$squadre[$num5]."' "

Of course, that doesn't address the security issues mentioned by Jacques1.

Kindot (Author) Posted August 18, 2016

It's part of a bigger script, and as I said I am not an expert, I am just implementing something to that.

However, I just tried what you said and it works finally! I completely ignored the existence of that flag, and it was the key, I think because the file has at the end an empty line. Isn't it so?

About quotes, I wasn't able to translate "quoted" into my language (in Italian it becomes an unusual word, and Google Translate doesn't help), that's why I didn't understand; either you know it or you don't know it. But anyway it needed that flag too.

Thanks again! I think I will come back here to ask you something else

Jacques1 Posted August 18, 2016

> I completely ignored the existence of that flag, and it was the key, I think because the file has at the end an empty line. Isn't it so?

The file() function by default always keeps the original newline character at the end of each line. So this has nothing to do with the particular file content. If you want to get rid of the newlines, you need the flag.

In the long run, you should abandon those very fragile and limited plaintext files. Either use a proper file format (JSON, YAML, XML, ...) or an actual database system (MySQL, PostgreSQL, ...).
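
Added example, not part of any post in the thread: one way to render the same team list with the two fixes from the replies (quoted attributes, FILE_IGNORE_NEW_LINES) plus the two security points Jacques1 raised (user-controlled file path, unescaped output). The function name renderTeamSelect(), the $baseDir parameter and the rule that 'anno' is a four-digit year are assumptions made for this example.

```php
<?php
// Added example. renderTeamSelect() and $baseDir are names chosen here;
// the four-digit-year rule for 'anno' is an assumption about the archive layout.

function renderTeamSelect(string $baseDir, ?string $year, ?string $chosen): string
{
    $html = "<select name='squadra'>";
    $sel  = ($chosen === null || $chosen === 'tutte') ? ' selected' : '';
    $html .= "<option value='tutte'{$sel}>Tutte</option>";

    // Accept only digits, so the value can never contain "/" or ".."
    // and the path stays inside the archive directory.
    if ($year !== null && preg_match('/\A\d{4}\z/', $year) === 1) {
        $path = $baseDir . '/' . $year . '/squadre.txt';

        // FILE_IGNORE_NEW_LINES drops the newline that file() keeps by default;
        // without it, the submitted value never equals the array entry.
        $teams = is_file($path)
            ? file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES)
            : [];

        foreach ($teams ?: [] as $team) {
            $sel = ($chosen === $team) ? ' selected' : '';

            // Escape for HTML (both quote styles) and quote the attribute,
            // so spaces or markup in a team name cannot break out of it.
            $value = htmlspecialchars($team, ENT_QUOTES, 'UTF-8');
            $label = htmlspecialchars(ucfirst(strtolower($team)), ENT_QUOTES, 'UTF-8');

            $html .= "<option value='{$value}'{$sel}>{$label}</option>";
        }
    }

    return $html . '</select>';
}

// $_POST entries can be arrays; accept plain strings only.
$year   = is_string($_POST['anno'] ?? null) ? $_POST['anno'] : null;
$chosen = is_string($_POST['squadra'] ?? null) ? $_POST['squadra'] : null;

echo renderTeamSelect(__DIR__ . '/statistiche/archivio', $year, $chosen);
```

The submitted team name is only ever compared against entries read from the file and is never echoed back itself, so a value that is not in the list simply selects nothing.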